Description

Signing a jar allows users to authenticate the publisher.

Signs JAR files with the jarsigner command line tool.
The task takes a named file in the jar attribute and an optional
destDir or signedJar attribute. Nested paths are also
supported; when they are used, only an (optional) destDir is allowed. If neither a
destination directory nor an explicit JAR file name is provided, JARs are signed in place.

Dependency rules

Nonexistent destination JARs are created/signed

Out of date destination JARs are created/signed

If a destination file and a source file are the same,
and lazy is true, the JAR is only signed if it does not
contain a signature by this alias.

If a destination file and a source file are the same,
and lazy is false, the JAR is signed.

Parameters

| Attribute | Description | Required |
|---|---|---|
| jar | the jar file to sign | Yes, unless nested paths have been used. |
| alias | the alias to sign under | Yes. |
| storepass | password for keystore integrity. | Yes. |
| keystore | keystore location | No |
| storetype | keystore type | No |
| keypass | password for private key (if different) | No |
| sigfile | name of .SF/.DSA file | No |
| signedjar | name of signed JAR file. This can only be set when the jar attribute is set. | No. |
| verbose | (true \| false) verbose output when signing | No; default false |
| strict | (true \| false) strict checking when signing. since Ant 1.9.1. | No; default false |
| internalsf | (true \| false) include the .SF file inside the signature block | No; default false |
| sectionsonly | (true \| false) don't compute hash of entire manifest | No; default false |
| lazy | flag to control whether the presence of a signature file means a JAR is signed. This is only used when the target JAR matches the source JAR | |
| | Give the signed files the same last modified time as the original jar files. | No; default false. |
| tsaurl | URL for a timestamp authority for timestamped JAR files in Java1.5+ | No |
| tsacert | alias in the keystore for a timestamp authority for timestamped JAR files in Java1.5+ | No |
| tsaproxyhost | proxy host to be used when connecting to TSA server | No |
| tsaproxyport | proxy port to be used when connecting to TSA server | No |
| executable | Specify a particular jarsigner executable to use in place of the default binary (found in the same JDK as Apache Ant is running in). Must support the same command line options as the Sun JDK jarsigner command. since Ant 1.8.0. | No |
| force | Whether to force signing of the jar file even if it doesn't seem to be out of date or already signed. since Ant 1.8.0. | |

Sign all JAR files matching the dist/**/*.jar pattern, copying them to the
directory "signed" afterwards. The flatten mapper means that they will
all be copied to this directory, not to subdirectories.

Sign all the JAR files in dist/**/*.jar using the digest algorithm SHA1 and the
signature algorithm MD5withRSA. This is especially useful when you want to use
the JDK 7 jarsigner (which uses SHA256 and SHA256withRSA as default) to create
signed jars that will be deployed on platforms not supporting SHA256 and
SHA256withRSA.

About timestamp signing

Timestamps record the date and time that a signature took place, allowing the signature to be verified as of that point in time.
With trusted timestamping, users can verify that signing occurred before a certificate's expiration or revocation. Without this timestamp, users can only verify the signature as of their current date.

Timestamped JAR files were introduced in Java1.5 and supported in Ant since
Ant 1.7. Since Ant 1.9.5, Ant can use unauthenticated proxies for this signing process.